“All data is security relevant” is a mantra that security practitioners should get used to saying. But knowing which sources you need to tap into to improve your security posture can seem like a daunting task. It doesn’t need to be.
Data sources are the raw material companies use to address the security issues already causing them pain, or the ones that may cause harm later. So what exactly is a data source? It can be almost anything, from the machine data generated by your existing firewall to web server logs. Which data sources you tap into depends on your security use case.
There are already companies that have found unique ways to put machine data to work for their specific needs, whether that means keeping a server online, protecting a city, or securing a department store’s cash registers. Let’s look at a few examples:
Equinix wanted a centralized security information and event management (SIEM) solution to give it a unified view into its global security infrastructure, while accelerating its time-to-value by hosting that solution in the cloud. To do this, Equinix tapped into the following data sources:
- Firewalls, VPNs and other security systems
- Intrusion prevention and detection systems
- F5 load balancers
- Host-based intrusion management platform
- Microsoft Active Directory
- UNIX and Windows servers
The setup gave Equinix operational visibility across its infrastructure, reducing 30 billion raw security events to about 12,000 correlated events and, from those, to 20 actionable alerts.
The City of Los Angeles needed a scalable SIEM solution, but for different reasons. The nation’s second-most-populous city needed to secure its real-time, citywide 24/7 surveillance network. The city set up a cloud-based SIEM solution to improve the protection of its digital assets, share security information with federal authorities and improve communication with the public it serves. Los Angeles plugged into the following data sources to achieve its goals:
- Firewall logs
- FireEye Threat Prevention Platform
- Intrusion prevention/detection systems
- External threat intelligence feeds
- Switches and routers
Retail stores face unique security challenges compared to data centers and city governments. Stores must secure online accounts and point-of-sale (POS) systems, eliminate malware and other vulnerabilities, and keep up with stringent compliance standards.
One luxury retailer, concerned about security breaches affecting its customers and brand reputation, installed an analytics-driven SIEM solution. The retailer needed an all-in-one solution to protect customer data and meet strict PCI and security compliance requirements. It got its SIEM up and running in six weeks by tapping into the following data sources:
- POS application logs
- Firewall syslogs
- Microsoft Windows events
- UNIX/Linux logs
- Juniper VPN syslogs
- F5 BIG-IP load balancer and F5 ASM syslogs
- Sourcefire eStreamer syslogs
- Aruba switch syslogs
- Cisco ACS and IOS syslogs
- Web server logs
Are you interested in learning how machine data can support an analytics-driven SIEM solution and improve your security posture? See why Gartner named Splunk a leader for the fourth consecutive year.